Dimitris Karakasilis
For reference, skipping formatting of the disk was broken for a while: https://github.com/kairos-io/kairos/issues/2281 Added a test to ensure we don't break it again: https://github.com/kairos-io/kairos/pull/2291
sbat is only understood and used by the shim (https://uapi-group.org/specifications/specs/unified_kernel_image/#uki-components). We don't use the shim so we can't rely on sbat for revocation.
2 things: - What's the worst that can happen if we just rely on `dbx` to blacklist images ([revocation by image hash](https://github.com/rhboot/shim/blob/main/SBAT.md))? Do we expect this to be so common...
I think I have a preference for my second suggestion (key rotation), which blacklists every past image by enrolling a new key. Keys can also be appended in dbx, which...
First approach to use sbctl here: https://github.com/Foxboron/sbctl/pull/296
Also suggested some preparation work here: https://github.com/Foxboron/sbctl/discussions/297
In order to get a cert or an image blacklisted in dbx, in thousands of machines with no physical access, we'll need to run commands in user mode (e.g. using...
Another thing to notice, in qemu, after enrolling once, it's not possible to enroll again (not even with `-a`): ``` [root@fedora kairos]# efi-readvar | grep dbx Variable dbx has no...
In qemu I get strange results. I tried the following sequence of commands with all three PK, KEK and db in qemu with different results: ```bash $ export UUID=`uuidgen` $...
I even added the certificate's signature hash to ensure the one in dbx is the PK one: ``` [root@fedora kairos]# ./sbctl list-enrolled-keys PK: kairos - 927dc1119f35d2ea18e276b2d7d46492b42d00c2a4af3b75fbda2c797d1cb575 KEK: kairos - 3e8ed3a5bcd2464c7025eb5ef61945d189df1c30d58c7552710265e20340331b...